Introduction
As the business development director of the state, local, and education (SLED) channel at Foresite Cybersecurity, Tracy Fox helps organizations realize that ongoing cybersecurity and compliance doesn’t have to come with an enterprise price tag.
We recently sat down with Fox to find out how Foresite approaches cybersecurity and compliance, what that means for SLED clients, and the key to the company’s impressive retention rate.
1. What does Foresite do and what is your role?
We are a cybersecurity and compliance services provider. But when I talk to clients, I tell them we help protect data. In the end, that’s really our objective.
My role is helping spread awareness within the SLED channel, both with our partners and prospects, of what we do and why it's important for them — making sure they're aware of new solutions like ongoing compliance management and tracking.
2. What solutions/services does Foresite offer?
We have three core service areas. The first is security information and event management (SIEM)/security operations center as a service (SOCaaS), providing the SIEM for log collection and correlation.
We have business rules that help detect alerts. We bring in logs from various sources and are vendor agnostic, so we don’t need the client to stay within one stack.
And then we could also look for unusual activities. We have cyber testing as well as our cyber compliance consulting practice, which are our other core service areas.
3. What differentiates Foresite from others in the space?
We work through a partner channel, so clients have separation of duties from the vendors who recommend, implement, and provide the day-to-day support of their technology. So, they have their MSP or their VAR that recommends and implements solutions and sometimes provides day-to-day support, and we can come in as the independent testers, assessors, or even the monitoring piece.
Because of our focus on security and compliance, we're going to give a different lens to what they might be getting from, say, an MSP. You don't want the same people implementing and assessing if they didn't know how to make it secure or compliant in the first place. It's a good check and balance for the client.
I'd say the other thing, though, is our customer satisfaction level. We've maintained a retention rate in the 90th percentile since we started over a decade ago.
Clients often come to us for a single service and then over 80% of the time, they expand on the services because they see the value we provide in increasing their security and reducing risk.
And because we work through so many different partners, if a potential client has to buy out of a contract with an existing provider, we can probably find a way to make it work for both of you.
4. You recently went from the commercial team to building out the SLED practice. How has that transition been?
My technology career started in SLED, so it’s a familiar space and the challenges haven’t changed. Plenty of need and not enough budget. This makes it even more rewarding when we bring on a new SLED client and can truly help them beyond their expectations.
They’re used to buying a product and then being too short-staffed to get the full value out of it. The product becomes a burden instead of helping them.
We’re coming in as a service and are very collaborative with our clients. If they don’t have the time, they can take a hands-off approach knowing we’re watching over things. But something like assessing their compliance is where it’s more of a back and forth.
They can count on us to guide them and be there when they have questions, instead of just handing them a tool and wishing them luck.
5. What is Foresite’s approach to cybersecurity and compliance for SLED organizations? How does it differ from your commercial approach?
Start somewhere. There’s often a sense of futility among SLED organizations because they have so much to secure and so many data protection requirements with few resources.
But most incidents can be prevented with good cyber hygiene, so we help SLED clients prioritize what they CAN do to reduce risk. We’ll have a conversation and figure out where they’re at the highest risk, starting somewhere small so we can mature over time.
With a commercial approach, clients often have more resources, tools, and people. Though, it doesn’t always mean they’re doing better than SLED organizations. But with SLED, it’s more about helping them effectively manage their solutions instead of just giving them another tool.
They just don’t have the time or the internal staff to do it effectively on their own. It’s often difficult for them to find people with the right experience, and when they do, retaining them is also a challenge. Once they gain the necessary experience and training, they become more valuable to the commercial market, and SLED can’t compete with those staffing expenses.
They end up losing people and that ongoing knowledge. Or they have someone who’s been there forever, but they’re the music teacher who also does IT.
So, we can bring that expertise without the cost of full-time employees.
6. How do you stay ahead of a rapidly evolving threat landscape?
We’re always learning, and our staff is constantly achieving new certifications. A lot of it is driven by our clients and the technologies they’re adopting. We can see what’s coming and stay on top of that, but we need to be well versed in what they have.
We also partner with cutting-edge solutions like Apptega that make it much easier to give clients visibility into their cyber posture and where they need to reduce risk. That part is critical.
Back when we did assessments as a one-off project like most people do, we would give them a report, go over it, and discuss the findings and what they needed to do. That was all great, but having the ability to show them their maturity over time and consult with them on an ongoing basis adds a lot more value than the old method.
7. How do you scale your services to accommodate a growing list of customers and regulatory requirements?
By having solutions that can scale from 25 users to enterprise. And going back to having a tool like Apptega, being able to take data from a single assessment and crosswalk against multiple regulatory requirements.
We have a lot of clients that want to align to NIST or the CIS top controls, but they might also have some health or PCI data. So, we can match one piece of evidence to requirements across multiple values.
It’s much easier than the old way, trying to interpret and share information through manual spreadsheets.
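The crosswalk idea described in this answer, taking one piece of evidence and matching it to requirements across several frameworks at once, can be shown with a small script. The example below is added here and is not Foresite's or Apptega's code; every control ID, requirement ID and evidence record in it is a constructed placeholder in the style of NIST CSF, CIS Controls, PCI DSS and HIPAA, not an authoritative mapping. It also distinguishes validated evidence from self-asserted evidence, so a self-assessment shows up as "pending review" rather than as a met requirement.

```python
"""Evidence crosswalk: map one piece of evidence to requirements in several frameworks.

Added example (not Foresite's or Apptega's code). All control and requirement IDs are
constructed placeholders modelled on the style of NIST CSF / CIS Controls / PCI DSS /
HIPAA; they are not authoritative mappings.
"""
from collections import defaultdict

# Internal control -> requirement IDs it satisfies in each framework (hypothetical crosswalk).
CROSSWALK = {
    "mfa-remote-access": {
        "NIST CSF": ["PR.AC-7"],
        "CIS": ["6.3"],
        "PCI DSS": ["8.4.2"],
        "HIPAA": ["164.312(d)"],
    },
    "central-log-collection": {
        "NIST CSF": ["DE.CM-1", "PR.PT-1"],
        "CIS": ["8.2"],
        "PCI DSS": ["10.2.1"],
        "HIPAA": ["164.312(b)"],
    },
    "quarterly-vuln-scan": {
        "NIST CSF": ["ID.RA-1"],
        "CIS": ["7.5"],
        "PCI DSS": ["11.3.1"],
    },
    "encrypt-data-at-rest": {
        "NIST CSF": ["PR.DS-1"],
        "CIS": ["3.11"],
        "PCI DSS": ["3.5.1"],
        "HIPAA": ["164.312(a)(2)(iv)"],
    },
}

# Constructed evidence register: one artifact can satisfy several controls.
# "validated" records whether an assessor reviewed it or it is only self-asserted.
EVIDENCE = [
    {"id": "EV-001", "desc": "VPN MFA policy export", "controls": ["mfa-remote-access"], "validated": True},
    {"id": "EV-002", "desc": "SIEM log-source inventory", "controls": ["central-log-collection"], "validated": True},
    {"id": "EV-003", "desc": "Scanner report, last quarter", "controls": ["quarterly-vuln-scan"], "validated": False},
]


def framework_requirements(crosswalk):
    """All requirement IDs per framework referenced anywhere in the crosswalk."""
    reqs = defaultdict(set)
    for mapping in crosswalk.values():
        for framework, ids in mapping.items():
            reqs[framework].update(ids)
    return reqs


def crosswalk_coverage(evidence, crosswalk, require_validation=True):
    """Return {framework: {"met": set, "pending": set, "gaps": set}}.

    Validated evidence marks requirements "met". Self-asserted evidence only marks them
    "pending" while require_validation is True, so a self-assessment is visible but does
    not count as compliant until an assessor has reviewed it.
    """
    met, pending = defaultdict(set), defaultdict(set)
    for item in evidence:
        bucket = met if (item["validated"] or not require_validation) else pending
        for control in item["controls"]:
            # One control fans out to every framework it is crosswalked against.
            for framework, ids in crosswalk.get(control, {}).items():
                bucket[framework].update(ids)

    report = {}
    for framework, all_ids in framework_requirements(crosswalk).items():
        fw_met = met[framework]
        fw_pending = pending[framework] - fw_met
        report[framework] = {
            "met": fw_met,
            "pending": fw_pending,
            "gaps": all_ids - fw_met - fw_pending,
        }
    return report


def coverage_percent(report, framework):
    """Share of a framework's requirements backed by validated evidence, rounded to 0.1."""
    entry = report[framework]
    total = len(entry["met"]) + len(entry["pending"]) + len(entry["gaps"])
    return round(100.0 * len(entry["met"]) / total, 1) if total else 0.0


if __name__ == "__main__":
    report = crosswalk_coverage(EVIDENCE, CROSSWALK)
    for framework in sorted(report):
        entry = report[framework]
        print(f"{framework:9s} {coverage_percent(report, framework):5.1f}% met"
              f"  pending={sorted(entry['pending'])}  gaps={sorted(entry['gaps'])}")
```

Running it lists, per framework, which requirements the two validated artifacts already satisfy, which ones only the unreviewed scanner report claims, and which have no evidence at all; setting `require_validation=False` shows how much a framework's score inflates if self-assessed evidence is simply taken at face value.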
8. How do you bundle your security and compliance services (pricing, packaging, positioning, etc.)?
We tailor solutions to meet the client’s needs and their budget. Some may have to prioritize the top risks and mature over time. Others need a full suite of outsourced services to address an immediate need or requirement — monitoring their environment for threats, helping them align their program to a framework, doing ongoing testing so we know what vulnerabilities are exploitable and get those addressed before they can be compromised, making sure patching gets done.
We have solutions in all those areas, so we can do a la carte or provide a full-fledged outsourcing service.
9. Do you have a favorite compliance framework? Why?
NIST CSF. Any organization can use it as a recognized cyber framework baseline for their cyber program, whether they’re public or private and regardless of size. And it’s the underpinning of requirements for HIPAA, PCI, and other flavors of NIST.
It also has fewer requirements and uses a 1-5 maturity scale versus a yes or no approach to controls. If we’re starting a client from nothing and we throw something like PCI or ISO at them, they just see a sea of red. And again, they can feel hopeless or that their efforts are futile if there are hundreds of requirements and they’re not currently fulfilling them. It’s hard to get them excited about that.
But if we start with NIST CSF, maybe they’re a 0 or a 1 in some areas but a 3 or 4 in others. They can see progress and it feels achievable. And we explain that almost no one is a 5 in everything.
That’s what makes it my favorite framework. I want to help them get where they need to go without feeling like they’re facing an unclimbable mountain.
10. What are the most common gaps or pitfalls you see when it comes to compliance management?
That it doesn’t exist. Compliance is only addressed when it’s time for an audit. Maybe they address the gaps, but that doesn’t always happen. So, they think they’re compliant — that they’re done until someone makes them do it again.
Organizations often come to us after an incident thinking they’re compliant. But the minute we start looking at things, it becomes clear they never were. Either they didn’t have a validated assessment or their auditor wasn’t technically trained and didn’t understand, for example, that they had a firewall but the NEL rule was open, so they weren’t secure. They checked a box, but it wasn’t implemented in a compliant way.
It’s a false sense of security because networks change, solutions change, requirements change, and threats are always evolving. Compliance needs to be an ongoing process.
11. What are your thoughts on compliance as a growth area for Foresite (and for other providers)?
We in the industry need to guide clients to make compliance an ongoing initiative so they remain protected from gaps that could lead to preventable data breaches, regulatory fines, lawsuits, and even denial of cyber insurance claims.
We must show them why aligning to a recognized framework is so important, even if they’re not required to do so. If you’re relying on commercial insurance as a backstop, there could be loopholes in the wording of those policies around meeting data protection requirements. If you ever need to defend that, you want to be able to say you’re aligned to CSF or ISO, or you’ve validated that you’re meeting HIPAA requirements through an assessment and ongoing compliance management.
12. What’s your outlook for the provider space over the next several years? What does it mean for Foresite?
We’re seeing a contraction of MSPs and security providers via acquisition. For Foresite, that means we need to continue aligning with the best-in-class providers and remain vendor-agnostic. Because when the big players buy up a bunch of their competitors and try to do everything, it becomes difficult to be the best in every single area. We want to make sure there are still options out there for clients that want separation, that want to pick and choose the best solutions for them without having to do everything through a single provider.
We’re going to provide the firewalls, the endpoint solution. We’re going to be your SIEM. The result is the key, not which provider has the most marketing dollars.
13. Are you seeing increased financial pressure within the industry? If so, what does it mean for providers, specifically regarding the need to meet revenue goals?
Yes, it’s expensive to continue to innovate, to retain experienced staff and provide continuous training. We must show value, or clients won’t renew. We can’t win business by discounting — that’s a race to the bottom, and service will suffer. It’s not a long-term strategy, and we’re in it for the long term.
14. How are you using Apptega today?
Our governance, risk, and compliance (GRC) team uses Apptega when performing assessments and audits. It’s easier for them to have everything in one place for evidence collection — doing scoring, providing clients with well-written reports on the findings, gaps, risk register, and assessment.
We also offer a managed compliance service for clients who want to self-assess. Or maybe they’ve been assessed or audited but need a tool to manage compliance and ongoing consultation to help them understand new requirements, how changes in their environment affect their compliance, and what current threats put them at risk.
So, if they don’t need an assessment but they’re concerned about managing and tracking compliance, we’ll give them a subscription along with some GRC consulting, help them onboard, and get that assessment uploaded. We can look at evidence to provide opinions and make sure it was validated, especially if they self-assessed.
Then we’ll consult with them on a quarterly basis to see what’s changed in their network, which solutions they’ve added, or whether they’ve moved something from on-prem to the cloud. We keep them on track, discussing changing compliance requirements and whether they’ve done the required testing, guiding them through the process.
We’re coaching them through it instead of just giving them a tool and hoping they’ll know what to do.
15. How important is compliance automation or other technologies (please specify)?
It’s important to automate data collection and the multiple requirements and sub-requirements that each piece of evidence may satisfy. It’s equally important to recognize that compliance cannot be fully automated. There are many aspects where a human review of the evidence is needed to verify that it’s implemented in a way that meets the requirement or to provide a compensating control or an auditor’s opinion on why the requirement does not apply. AI isn't capable of those nuances.